Supply Chain Cyberattacks Surged 200% in 2017

Major software update compromises occurred at least once a month last year as attackers adopted this more stealthy and efficient way to reach their targets – compared to just three such attacks per year previously.

That 200% increase in such supply chain attacks only accounts for breaches in 2017 that were reported publicly, so the actual rate of these attacks could be even higher, according to new cyber threat data from Symantec's annual "Internet Security Threat Report," published today.

These are attacks where hackers hijack the software update process and replace it with malicious code; the most high-profile of these incidents last year was NotPetya, where Russian hackers compromised a Ukrainian accounting vendor's software as a way to spread malware to its targets.

"All of a sudden this is a huge issue," says Kevin Haley, director of Symantec Security Response. "This is something organizations really need to be concerned about. It's not just some one-offs."

Supply chain attacks were one of the main trends cited by Crowdstrike in its annual threat report as well. In addition to NotPetya, there were attacks on Avast's CCleaner and the HandBrake media player software for Apple Mac machines, notes Adam Meyers, vice president of intelligence at Crowdstrike. Attackers can target victims via plugins and other software updates, he says.

"It used to be that we talked about the hardware supply chain" being at risk, Meyers says. "Now you get updates via an app store that will validate as much as possible" but still can be corrupted or abuse permissions, he says.

It's tough to defend against supply chain attacks because patching software with the latest releases is a best security practice. "You can't stop" patching, Symantec's Haley says, but organizations should start looking at their supply chain vendors and be sure those vendors are protecting their update pipelines.

Behavior monitoring is another way to track any suspicious activity with an application update, but app vendors also need controls to catch any unauthorized changes in their update systems and processes, Symantec advises.
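The control the article asks vendors for, catching unauthorized changes to a release before it is shipped, can be illustrated with a small release-integrity check. The following is an added example written for this page; it is not code from Symantec, Crowdstrike or any vendor named above. It assumes a build step that records a SHA-256 manifest of every artifact and authenticates it with a key held only by the build environment (HMAC stands in for a real signing scheme here), and a later publishing or client-side step that re-hashes what it is about to ship and refuses anything that does not match. The artifact contents and the key are constructed for the demonstration.

```python
"""Added example: release-integrity check for a software update pipeline.

Build time: hash every artifact, authenticate the hash list.
Publish time (or client side): re-hash, verify the list, reject mismatches.
An artifact swapped after the build, an extra file slipped into the bundle,
or a rewritten manifest without the key all fail the check.
All data below is constructed; HMAC stands in for the vendor's signing scheme.
"""

import hashlib
import hmac
import json

# Constructed "release" as produced by the build system: artifact name -> bytes.
BUILD_OUTPUT = {
    "updater.exe": b"MZ\x90\x00" + b"legit build 5.33" * 8,
    "app.dll": b"MZ\x90\x00" + b"legit library 5.33" * 8,
}

# Assumption: this key lives in the build environment (ideally an HSM or
# signing service); publishing hosts can verify with it but not alter builds.
MANIFEST_KEY = b"constructed-demo-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(digests: dict) -> bytes:
    # Canonical JSON so the MAC is computed over a deterministic byte string.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: dict, key: bytes) -> dict:
    """Build-time step: hash every artifact and authenticate the hash list."""
    digests = {name: sha256_hex(blob) for name, blob in sorted(artifacts.items())}
    tag = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"artifacts": digests, "mac": tag}


def verify_release(artifacts: dict, manifest: dict, key: bytes) -> list:
    """Publish-time / client-side step. Returns a list of problems; an empty
    list means the release matches what the build system attested."""
    problems = []
    digests = manifest.get("artifacts", {})
    expected = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences.
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        problems.append("manifest MAC mismatch: manifest itself was altered")
        return problems  # nothing in the manifest can be trusted now
    for name in sorted(set(digests) | set(artifacts)):
        if name not in artifacts:
            problems.append(f"{name}: listed in manifest but missing from release")
        elif name not in digests:
            problems.append(f"{name}: present in release but not in manifest")
        elif not hmac.compare_digest(sha256_hex(artifacts[name]), digests[name]):
            problems.append(f"{name}: contents differ from build-time hash")
    return problems


def demo() -> dict:
    """Run the check over a clean release and three tampering scenarios."""
    manifest = build_manifest(BUILD_OUTPUT, MANIFEST_KEY)
    results = {"clean": verify_release(BUILD_OUTPUT, manifest, MANIFEST_KEY)}

    # 1. Artifact replaced after the build (the update-hijack case).
    swapped = dict(BUILD_OUTPUT)
    swapped["updater.exe"] = BUILD_OUTPUT["updater.exe"] + b"\x00tampered"
    results["swapped_artifact"] = verify_release(swapped, manifest, MANIFEST_KEY)

    # 2. Extra file slipped into the release bundle.
    extra = dict(BUILD_OUTPUT)
    extra["helper.dll"] = b"MZ\x90\x00unexpected"
    results["extra_artifact"] = verify_release(extra, manifest, MANIFEST_KEY)

    # 3. Manifest hashes rewritten to match the swap, but the MAC cannot be
    #    recomputed without the build key, so the old tag no longer verifies.
    forged = {"artifacts": {k: sha256_hex(v) for k, v in swapped.items()},
              "mac": manifest["mac"]}
    results["forged_manifest"] = verify_release(swapped, forged, MANIFEST_KEY)
    return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(f"{scenario}: {'OK' if not problems else problems}")
```

The design point is separation of duties: the step that can alter artifacts (build) is the only one that can produce a valid manifest, and every later step verifies rather than trusts. In a real pipeline the HMAC would be replaced by a signature whose private key the publishing hosts never hold, and the same verification would run inside the client's updater against a pinned public key.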

The spike in supply chain attacks coincided last year with a drop in zero-day attacks detected by Symantec. It's getting harder to find, and less appealing to burn, expensive zero-day vulnerabilities in an attack. Just under 30% of the 140 cyber threat groups Symantec tracks that wage targeted attacks have ever used a 0day in an attack. It's all part of the trend of sophisticated attackers employing legitimate tools and applications on their victims' networks to stay camouflaged for the long haul.

Targeted cyberattacks increased by 10% last year, with some 90% of the attacks purely for intelligence-gathering, including spying, information-stealing, and surveillance. Most of the attackers here are nation-state sponsored groups. About 10% of targeted attack groups wage disruptive attacks on their victims. Another 9% are doing so for financial gain, and spear phishing is the main initial attack vector (71%) in all targeted attacks.

Symantec has discovered an average of three new targeted attack groups per year, it says, and the most active ones hit an average of 42 organizations in the past three years. Researchers at Symantec identified 29 new such groups this past year. "And those are only the ones we know about," Haley says.

The US unsurprisingly is the most attacked, with nearly 30% of all targeted attack incidents.

Destructive targeted attacks that cause disruption or destroy data are on the rise, however. Like 0days, they often call unwanted attention to the attackers, so it's a calculated risk for a threat group to wage one. Just 6% of the targeted attack groups Symantec watches deploy destructive malware, but that number could rise.

"'Success' breeds imitation. Those attacks can be looked at as a success. We expect to see more" attacks inspired by known destructive attacks, Haley says.

One of the more infamous such attacks was by North Korea's Lazarus Group against Sony Pictures in 2014. The hackers dumped emails, unreleased movies, and wiped hard drives as part of the noisy and destructive hack purportedly in response to a film considered disparaging to Kim Jong-un.

Cryptocurrency Mining Cashes In

One of the most dramatic shifts in security threats Symantec studied in 2017 was the eye-popping 34,000% (yes, that's three zeroes) increase in cryptocurrency mining attack attempts. These so-called cryptojacking attacks infect victim computers in order to use their processing power (and electricity) to mine virtual currency in massive quantities. In December 2017 alone, the security firm blocked more than 8 million of these attacks, and in the fourth quarter of 2017, Symantec endpoint technology saw an 8,500% increase in detections of cryptojacking malware.

Cybercriminals – and nation-states such as North Korea – dropped ransomware for the most part in exchange for the more lucrative and easier to deploy cryptojacking attacks. While the wave now is riding the exchange rate for virtual currency, Haley doesn't expect these attacks to decline any time soon.

The attack rates are holding at highs so far this year, he says. "They are not going away."

As the average price for ransomware attacks dropped, attackers jumped ship to cryptojacking. "We think there is some movement from ransomware to" cryptojacking because it's easier money, he says. "With ransomware, there were way too many competitors in the market and they were overpricing their product. Only so many victims were willing to pay to get their files back: they were not going to pay $1,000," for instance, he says.

The average ransom demand in 2017 declined by about 50%, to $522, but the number of ransomware variants actually rose by 46%. So ransomware isn't dead.

The challenge with cryptomining versus ransomware is the visibility and pain of the attack: ransomware was an in-your-face, work-stop event, for example. Cryptocoin mining can be less obvious, and some organizations don't consider that it's a form of hacking. The malware, though, can ultimately drag down machine performance, overheat batteries, sap electricity, and even break components and cause an enterprise network shutdown. There's also the risk of being billed for the attackers' use of CPUs via your cloud provider, Symantec notes in its report.

Haley says enterprises are prime targets for cryptocurrency attacks, even if the currency value declines. "Enterprises have more processing power, so if I want to maximize my earnings, that's where I can go to get even more powerful systems," he says. Employees, too, may abuse their corporate networks to mine coins.

Meantime, Symantec saw mobile malware variants increase by 54% last year over 2016. Its products blocked some 24,000 malicious mobile apps per day. Android devices continue to be the biggest security problem for enterprises and consumers, as only 20% of Android users have devices with the most up-to-date software.

Another hotspot to watch out for: Internet of Things (IoT) threats. Symantec said attacks on IoT rose 600% last year.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
